Browser security redux

By Ron Grattopp …..About 6 months ago, I did a post around including browser security as part of your customer conversations. As we move forward in this ever more mobile, cloud-oriented computing paradigm where the browser becomes THE central app, I believe browser security should be an even larger part of the security solution equation than ever before. In fact, NSS Labs, a completely independent testing organization, in their recent report "Is your Browser Putting You at Risk?" supports the conclusion that users should "evaluate browser security as part of their layered security strategy."

Of course, one of the reasons I want to make this case is that IE9 blew away Google Chrome, Mozilla Firefox and Apple Safari in new tests by NSS Labs to measure the ability of web browsers to block malware and catch click fraud which I’m sure comes as no surprise to you.

Here is the link to free NSS report so you can read about the methodology and get more specifics on their findings, but I do want to highlight some key food for thought that are things I think you can use in customer conversations around security solutions.

Right up front the report states: “The ineffectiveness of Web browser security is one of the most common reasons for malware infection. Browsers offer a direct and unique route for infection, bypassing corporate protection layers and bringing malware deep into the corporate environment, often protecting it from detection using SSL.” Wow, that’s a sure-fire security conversation starter IMHO. The report goes on to make the case that “Browsers must provide a strong layer of defense from malware, rather than defer to operating system antimalware solutions.” Of course, I couldn’t agree more. And, if you agree as well, then that’s where you begin to make the case around how Microsoft “gets” security on multiple levels and why we take care to make our browser THE most secure. If you’ve followed my blog for long, you know that I’ve tried to help you understand how Microsoft, in the last decade, has basically gone from worst (or at least it seemed so in the 90’s) to first (now generally regarded as the industry leading) in the area of security – ever since we launched the Trustworthy Computing Initiative early last decade. I’ve said it many times, you can bet that if it’s good enough for us to use (as one of the most targeted companies out there), and we do “eat our own dogfood (use our own technologies)”, then it will work for you. But the real point of this is as stated above, the browser you use is a real factor in your vulnerability to malware infection, and IE (9 or higher) has been proven (according to NSS) to be your most secure browser option.

Just quickly to recap some of the main things to know about the report: The tested products were Apple Safari v5, Google Chrome v15-19, Microsoft Internet Explorer 9, and Mozilla Firefox v7-13. Over 3 million test cases were used. Their recommendations were that: 1) users should evaluate browser security as part of their layered security strategy, 2) Businesses (or their partners) should perform a risk analysis of the browsers in the organization to determine if unjustified risk exists, and 3) they pointed out that the findings in their report were intended solely to assist in the selection of the browser most appropriate for malware protection needs and that malware infection rather than exploits were the subject of this test and thus readers should not draw overly broad conclusions based upon this report alone.

OK, hopefully you are now armed with some additional security oriented talking points for your customer conversation.